void-docs
config/containers-and-vms/chroot: create more detailed chroot guide
- based on the section of installation/musl
- remove proot
- add xchroot, xbps-uchroot, xbps-uunshare, and bwrap
supersedes:
- closes #300
  - I based some of my work on this
- closes #610
  - I feel that this PR is too focused on providing a specific example of using bwrap, not providing general guidance
Work still needed:
- [x] is this in the right section?
- [ ] should `xbps-uunshare` be mentioned?
- [ ] should `xbps-*` get example invocations?
- [ ] get the `bwrap` instructions to work - currently, I can enter the chroot with bwrap, but I don't have perms to access sockets?
```
host $ bwrap --dev /dev --proc /proc --tmpfs /tmp --bind /sys /sys --bind /run /run --ro-bind /etc/resolv.conf /etc/resolv.conf --bind musl / sh
bwrap $ ping -v 8.8.8.8
ping: socket: Operation not permitted
ping: socket: Operation not permitted
bwrap $ strace ping -v 8.8.8.8
...
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
...
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = -1 EACCES (Permission denied)
socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6) = -1 EPERM (Operation not permitted)
```
> currently, I can enter the chroot with bwrap, but I don't have perms to access sockets?
Can you check whether something like curl is working? ping is suid and depends on it for the creation of raw sockets, which indeed won't work. I'm unsure what's up with the DGRAM ones, though.
I managed to forget to mention that we do have a bwrap chroot style in void-packages and it does work, so it's worth checking it out. But this already does everything that style does, so I don't think there are any missing flags.
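A diagnostic script for the two `socket()` failures in the strace output above, added here as an example; it is not part of this PR, of void-docs, or of bwrap. It reads the sandboxed process's effective capability mask and `NoNewPrivs` flag from `/proc/self/status` and the kernel's `net.ipv4.ping_group_range`, then maps the two errno values to their causes. The kernel rules it encodes: a `SOCK_RAW` ICMP socket needs `CAP_NET_RAW` in the user namespace that owns the network namespace (otherwise `EPERM`); a `SOCK_DGRAM` ICMP "ping socket" needs the caller's gid inside `net.ipv4.ping_group_range`, whose default `1 0` is an empty range (otherwise `EACCES`); and bwrap sets `no_new_privs`, so a setuid `ping` cannot regain `CAP_NET_RAW`. The helper names are this example's own; run it inside the bwrap shell to see which rule is biting.

```shell
#!/bin/sh
# Added example (not from void-docs or bwrap): diagnose socket() failures
# seen inside a bwrap sandbox.
#   SOCK_RAW  + IPPROTO_ICMP needs CAP_NET_RAW in the netns's owning user
#             namespace, else socket() fails with EPERM.
#   SOCK_DGRAM + IPPROTO_ICMP ("ping socket") needs the caller's gid inside
#             net.ipv4.ping_group_range, else socket() fails with EACCES.
# bwrap sets no_new_privs, so a setuid ping cannot regain CAP_NET_RAW.
# Helper names below are this example's own.

CAP_NET_RAW=13   # bit index from <linux/capability.h>

# has_cap HEXMASK BIT: exit 0 if BIT is set in HEXMASK
# (HEXMASK is the CapEff field from /proc/self/status, without 0x).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# in_ping_group_range GID LO HI: exit 0 if LO <= GID <= HI.
# The kernel default "1 0" is an empty range: nobody may open ping sockets.
in_ping_group_range() {
    [ "$2" -le "$3" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# explain_socket_error ERRNAME: print the likely cause of socket() failing with ERRNAME.
explain_socket_error() {
    case "$1" in
        EPERM)  echo "no CAP_NET_RAW: raw ICMP sockets are denied; setuid does not help under no_new_privs" ;;
        EACCES) echo "gid not in net.ipv4.ping_group_range: unprivileged ICMP datagram sockets are denied" ;;
        *)      echo "not a capability/ping_group_range problem: $1" ;;
    esac
}

# diagnose: inspect the current process and report (Linux only; no-op elsewhere).
diagnose() {
    [ -r /proc/self/status ] || { echo "no /proc/self/status; not Linux?"; return 0; }
    capeff=0
    nnp="?"
    while read -r key val; do
        case "$key" in
            CapEff:)     capeff=$val ;;
            NoNewPrivs:) nnp=$val ;;
        esac
    done < /proc/self/status
    gid=$(id -g)

    echo "CapEff=$capeff NoNewPrivs=$nnp gid=$gid"
    if has_cap "$capeff" "$CAP_NET_RAW"; then
        echo "raw ICMP: CAP_NET_RAW present"
    else
        echo "raw ICMP: $(explain_socket_error EPERM)"
    fi

    if [ -r /proc/sys/net/ipv4/ping_group_range ]; then
        read -r lo hi < /proc/sys/net/ipv4/ping_group_range
        if in_ping_group_range "$gid" "$lo" "$hi"; then
            echo "ping socket: gid $gid is within ping_group_range '$lo $hi'"
        else
            echo "ping socket: $(explain_socket_error EACCES) (range is '$lo $hi')"
        fi
    fi
    return 0
}

diagnose
```

The `EPERM` on the raw socket is expected in any sandbox that drops capabilities; the `EACCES` on the datagram socket is the separate `ping_group_range` check, which applies to the gid as seen after bwrap's user-namespace mapping, so a range that admits your host gid does not necessarily admit the sandboxed one.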
> Can you check whether something like curl is working?
curl works, but interestingly xbps ssl stuff doesn't:
```
$ bwrap --bind musl / --bind /dev /dev --bind /sys /sys --ro-bind /etc/resolv.conf /etc/resolv.conf sh
$ xbps-install -S
[*] Updating repository `https://repo-default.voidlinux.org/current/musl/x86_64-musl-repodata' ...
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
SSL_connect returned 1
ERROR: [reposync] failed to fetch file `https://repo-default.voidlinux.org/current/musl/x86_64-musl-repodata': Operation not permitted
```